Hello Jorge,
You have to enable the radius-acct service.

It's radius-acct that is able to proxy the request to another server, not
pfacct (btw, you can keep it enabled).

Regards
Fabrice


On Wed, Feb 9, 2022 at 19:21, Jorge Nolla <jno...@gmail.com> wrote:

>
> Another configuration file with references to the billing server Splynx:
>
> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm
> package multi_domain_constants;
>
> our $VAR1 = {
>           '1' => {
>                    'ConfigRealm' => {
>                                       'local' => {
>                                                    'radius_strip_username' => 'disabled',
>                                                    'eap' => 'default',
>                                                    'admin_strip_username' => 'disabled',
>                                                    'portal_strip_username' => 'disabled'
>                                                  },
>                                       'default' => {
>                                                      'radius_acct_proxy_type' => 'load-balance',
>                                                      'radius_auth_compute_in_pf' => 'disabled',
>                                                      'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>                                                      'radius_auth_proxy_type' => 'keyed-balance',
>                                                      'portal_strip_username' => 'disabled',
>                                                      'admin_strip_username' => 'disabled',
>                                                      'radius_auth' => '',
>                                                      'radius_strip_username' => 'disabled',
>                                                      'eap' => 'default',
>                                                      'eduroam_radius_acct' => '',
>                                                      'eduroam_radius_acct_proxy_type' => 'load-balance',
>                                                      'permit_custom_attributes' => 'disabled',
>                                                      'eduroam_radius_auth_compute_in_pf' => 'enabled',
>                                                      'eduroam_radius_auth' => '',
>                                                      'radius_acct' => ''
>                                                    },
>                                       'null' => {
>                                                   'eap' => 'default',
>                                                   'radius_strip_username' => 'disabled',
>                                                   'admin_strip_username' => 'disabled',
>                                                   'portal_strip_username' => 'disabled'
>                                                 },
>                                       'fispy.mx' => {
>                                                       'eduroam_radius_acct' => '',
>                                                       'eap' => 'default',
>                                                       'radius_strip_username' => 'enabled',
>                                                       'admin_strip_username' => 'enabled',
>                                                       'radius_auth' => 'Splynx',
>                                                       'portal_strip_username' => 'enabled',
>                                                       'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>                                                       'radius_auth_proxy_type' => 'keyed-balance',
>                                                       'radius_acct_proxy_type' => 'load-balance',
>                                                       'radius_auth_compute_in_pf' => 'enabled',
>                                                       'eduroam_radius_auth' => '',
>                                                       'radius_acct' => 'Splynx',
>                                                       'eduroam_radius_auth_compute_in_pf' => 'enabled',
>                                                       'eduroam_radius_acct_proxy_type' => 'load-balance',
>                                                       'permit_custom_attributes' => 'disabled'
>                                                     }
>                                     },
>                    'ConfigDomain' => {},
>                    'ConfigOrderedRealm' => [
>                                              'default',
>                                              'local',
>                                              'null',
>                                              'fispy.mx'
>                                            ]
>                  },
>           '0' => {
>                    'ConfigDomain' => {},
>                    'ConfigRealm' => {},
>                    'ConfigOrderedRealm' => []
>                  }
>         };
> our $DATA = $VAR1;
> 1;
> [root@wifi raddb]#
>
>
>
> On Feb 9, 2022, at 5:19 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Team,
>
> Still can’t get accounting to proxy to the billing server. I don’t see the
> configuration in proxy.conf, so I imagine it is pulling from this file.
>
>
> [root@wifi raddb]# cat proxy.conf.inc
> # This file is generated from a template at /usr/local/pf/conf/radiusd/proxy.conf.inc
> # Any changes made to this file will be lost on restart
>
> # Eduroam integration is not configured
>
> realm default {
>
> }
> realm local {
>
> }
> realm null {
>
> }
> realm fispy.mx {
>
> auth_pool = auth_pool_fispy.mx
> acct_pool = acct_pool_fispy.mx
> }
> home_server_pool auth_pool_fispy.mx {
> type = keyed-balance
> home_server = Splynx
> }
>
> home_server_pool acct_pool_fispy.mx {
> type = load-balance
> home_server = Splynx
> }
>
>
> realm eduroam.default {
>
> }
>
> realm eduroam.local {
>
> }
>
> realm eduroam.null {
>
> }
>
> realm eduroam.fispy.mx {
>
> }
>
>
>
>
> home_server Splynx {
> ipaddr = 10.0.254.100
> port = 1812
> secret = @Put@Madr3
> type = auth+acct
> status_check = status-server
> }
>
>
>
> # pfacct configuration
>
> realm pfacct {
>     acct_pool = pfacct_pool
>     nostrip
> }
>
> home_server_pool pfacct_pool {
>     home_server = pfacct_local
> }
>
> home_server pfacct_local {
>     type = acct
>     ipaddr = 127.0.0.1
>     port = 1813
>     secret = 'ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0'
>     src_ipaddr = 10.0.255.99
> }
>
> On Feb 8, 2022, at 11:51 AM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Fabrice,
>
> For some reason I cannot get accounting forwarding to the Billing/Radius
> Server. This server has the plans for the customers.
>
> <Screen Shot 2022-02-08 at 11.48.23 AM.png>
>
>
> <Screen Shot 2022-02-08 at 11.50.20 AM.png>
>
>
> <Screen Shot 2022-02-08 at 11.48.01 AM.png>
>
>
> <Screen Shot 2022-02-08 at 11.51.33 AM.png>
>
> On Feb 8, 2022, at 11:39 AM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Fabrice,
>
> It worked. I had to change to HTTPS and DNS for the cert on the server to
> work. We also changed the method to GET. Will try POST, not sure if this
> will make a difference.
>
>  my $html_form = qq[
>       <form name="weblogin_form" data-autosubmit="1000" method="GET" action="https://portal.fispy.mx:8443/login">
>        <input type="hidden" name="username" value="$mac">
>        <input type="hidden" name="password" value="$mac">
>       </form>
>       <script src="/content/autosubmit.js" type="text/javascript"></script>
>
> Here is a sample of the radius info on PF. Top entry is with the new
> configuration, MAC address as username. Bottom one is the old configuration,
> where we were submitting the url request manually.
>
> <Screen Shot 2022-02-08 at 11.34.52 AM.png>
>
>
> On Feb 8, 2022, at 9:30 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>
> Yes, that's it.
>
> On Tue, Feb 8, 2022 at 11:23, Jorge Nolla <jno...@gmail.com> wrote:
>
>> Fabrice,
>>
>> The document you had provided didn’t lay out the configuration steps. I
>> think this might be the correct document for the configuration you are
>> referring to. If you have a chance take a look and let me know.
>>
>> https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064
>>
>>
>>
>> On Feb 8, 2022, at 9:14 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>> You can try that instead:
>>
>>         my $html_form = qq[
>>         <form name="weblogin_form" data-autosubmit="1000" method="POST" action="http://$controller_ip:8443/login">
>>             <input type="hidden" name="username" value="$mac">
>>             <input type="hidden" name="password" value="$mac">
>>         </form>
>>         <script src="/content/autosubmit.js" type="text/javascript"></script>
>>     ];
>>
>> It will pass the MAC address of the device in the radius request as
>> username and password instead of the real username and password that were
>> authenticated previously on the portal.
>> Then you just need to configure the registration role in the switch
>> configuration to be -1 (PacketFence side) and if the device is unreg then
>> the request will be rejected.
>>
>>
>> On Tue, Feb 8, 2022 at 11:04, Jorge Nolla <jno...@gmail.com> wrote:
>>
>>> Hi Fabrice,
>>>
>>> Let me check what the difference is in configuration on the AC side,
>>> I’ll report within the hour. Any clues as to why the parameters are not
>>> being passed?
>>>
>>>
>>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>
>>> Hello Jorge,
>>>
>>> I really think that it's not the correct way to support the web auth in
>>> Huawei.
>>> The only thing you can do with the portal is to authenticate with a
>>> username and password, there is no way to do anything else
>>> (sms/email/sponsor/....).
>>>
>>> Also when you authenticate on the portal, the portal validates your
>>> username and password and with the workflow you have it will authenticate
>>> twice (portal and radius) and it doesn't make sense.
>>>
>>> So if you want to keep this way then you will need a simple html page
>>> with a username and password field that posts to
>>> https://portal.fispy.mx:8443/login then configure packetfence to
>>> authenticate the username and password from radius.
>>>
>>> The other way, which looks really better, is to use that: (
>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2
>>> )
>>>
>>> <download.png>
>>>
>>> As I said, it's exactly how it works with the Cisco WLC and it will
>>> support all authentication mechanisms available on the portal.
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>>
>>>
>>> On Mon, Feb 7, 2022 at 20:25, Jorge Nolla <jno...@gmail.com> wrote:
>>>
>>>>
>>>> Radius request from the AC once it receives the correct values. This is
>>>> sent back to Radius which in this case is PF
>>>>
>>>> User-Name = "5blz" *<<< VALUE NEEDED IN URL as username*
>>>> User-Password = "******" *<<< VALUE NEEDED IN URL as password*
>>>> NAS-IP-Address = 10.7.255.2
>>>> NAS-Port = 900
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> Framed-IP-Address = 10.9.91.31
>>>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>>>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>>> NAS-Identifier = "AirEngine9700-M1"
>>>> NAS-Port-Type = Wireless-802.11
>>>> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187"
>>>> Event-Timestamp = "Feb 7 2022 18:05:13 MST"
>>>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>>> Huawei-User-Mac = "\000\000\000\003"
>>>> Stripped-User-Name = "5blz"
>>>> Realm = "null"
>>>> FreeRADIUS-Client-IP-Address = 10.7.255.2
>>>> Called-Station-SSID = "FISPY-WiFi"
>>>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
>>>> PacketFence-Radius-Ip = "10.0.255.99"
>>>> SQL-User-Name = "5blz"
>>>>
>>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>> Hi Fabrice,
>>>>
>>>> I did hardcode as follows:
>>>>
>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET"
>>>> action="https://portal.fispy.mx:8443/login?username=bob&password=bob"
>>>> style="display:none">
>>>>
>>>> But the redirect which the client is getting, is only this part, not
>>>> sure why:
>>>>
>>>> https://portal.fispy.mx:8443/login?
>>>>
>>>>
>>>> Here is the flow of the External Portal Authentication as per Huawei.
>>>> Portal Server - Notify the STA of the login URL
>>>> STA - Send the username and password in HTTP GET POST. When this is
>>>> configured to use ISE as per the guide, the ISE server sends the redirect
>>>> to the STA as per the format.
>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>
>>>>
>>>> <PastedGraphic-1.tiff>
>>>>
>>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>
>>>> Did you try to hardcode that in the code and see if it works?
>>>>
>>>> Also I don't understand the goal of passing the username and password,
>>>> is there any extra check after that? What happens if the user registers by
>>>> sms/email?
>>>>
>>>> And I just found that:
>>>>
>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>>> Is it something that can be configured on the Huawei? If yes then it
>>>> will mimic the way the Cisco WLC works.
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>>
>>>> On Mon, Feb 7, 2022 at 16:01, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> This line needs to be HTTPS for it to work
>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET"
>>>>> action="http://$controller_ip:8443/login?username=bob&password=bob"
>>>>> style="display:none">
>>>>>
>>>>> This needs to be the username and password which is being entered by
>>>>> the user in the PF portal, which is the Radius username and password
>>>>> username=bob&password=bob
>>>>>
>>>>>
>>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com>
>>>>> wrote:
>>>>>
>>>>> I just pushed a fix.
>>>>>
>>>>> cd /usr/local/pf
>>>>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>>>>> and restart
>>>>>
>>>>> On Mon, Feb 7, 2022 at 13:46, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>
>>>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>>>>
>>>>>>
>>>>>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details:  (pf::web::externalportal::handle)
>>>>>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details:  (pf::web::externalportal::handle)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Here is the output for HAProxy
>>>>>>
>>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> From the Pf portal after the patch is applied.
>>>>>>
>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not
>>>>>> supported.
>>>>>>
>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>> This is the only option on the config.
>>>>>>
>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png>
>>>>>>
>>>>>>
>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> Getting an error page from PF
>>>>>>
>>>>>> Not Implemented
>>>>>> GET no supported for current URL.
>>>>>>
>>>>>> How is the switch supposed to be defined in PF?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> I am just not sure what to set for username and password, if you do
>>>>>> sms auth then there is no password.
>>>>>>
>>>>>> Also in the url it looks like the mac address of the device is missing,
>>>>>> can you try to add device-mac and see if the device mac is in the url?
>>>>>>
>>>>>> Here the first draft:
>>>>>>
>>>>>>
>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>
>>>>>> cd /usr/local/pf/
>>>>>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>>>>>
>>>>>> then restart packetfence.
>>>>>>
>>>>>> On the controller:
>>>>>>
>>>>>> url-template name PacketFence
>>>>>>  url https://wifi.fispy.mx/ <https://wifi.fispy.mx/captive-portal>
>>>>>> Hawei
>>>>>>  url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid
>>>>>> ssid user-mac ap-mac
>>>>>>
>>>>>> So when the device is forwarded to the portal it should be able
>>>>>> to recognise the mac address and the ip of the device (at the bottom).
>>>>>>
>>>>>> Register on the portal and you should be forwarded to
>>>>>> http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>
>>>>>> Let me know how it behaves.
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Fabrice
>>>>>>>
>>>>>>> This is the GET the AC is expecting:
>>>>>>>
>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>
>>>>>>> If successful it will return as per image below. If it fails the AC
>>>>>>> will redirect back to the Portal
>>>>>>>
>>>>>>> <WebAuthentication.png>
>>>>>>>
>>>>>>>
>>>>>>> Here is the configuration:
>>>>>>>
>>>>>>> url-template name PacketFence
>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>  url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>
>>>>>>>
>>>>>>> HA Proxy output
>>>>>>>
>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
>>>>>>>
>>>>>>> Only problem is that PacketFence is not updating the dynamic values
>>>>>>> with username and password for it to work
>>>>>>>
>>>>>>> AC = Access Controller. This manages the APs’ as they are operating
>>>>>>> in Fit/Lightweight mode.
>>>>>>> AP = Access Points. These are the actual radios.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Jorge
>>>>>>>
>>>>>>>
>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hello Jorge,
>>>>>>>
>>>>>>> I have what I need at least to be able to support the web-auth.
>>>>>>> The only thing I am not sure of is, at the end of the registration
>>>>>>> process, what we are supposed to do.
>>>>>>>
>>>>>>> I will create a branch on github in order for you to test. (it will
>>>>>>> be an update of the Huawei switch module).
>>>>>>>
>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>>>>>>>
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>
>>>>>>>> If I try to manually send the redirect in the browser here is what
>>>>>>>> HA proxy records. This is a simple copy and paste in the browser and
>>>>>>>> the output:
>>>>>>>>
>>>>>>>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>
>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>>>>>>>>
>>>>>>>>
>>>>>>>> It doesn’t let it go through as it seems that it is trying to validate
>>>>>>>> network connectivity
>>>>>>>>
>>>>>>>>
>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Seems weird how the format of the URL is recorded/sent
>>>>>>>>
>>>>>>>>
>>>>>>>> Here is a normal redirect, the url is formatted correctly,
>>>>>>>>
>>>>>>>>
>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>>>>>>>
>>>>>>>>  I’m not sure why the value sent by the AP has all the % and weird
>>>>>>>> symbols
>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Fabrice,
>>>>>>>>
>>>>>>>> Here are the options that can be added:
>>>>>>>>
>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>>>>   ap-group-name   AP group name
>>>>>>>>   ap-ip           AP IP address
>>>>>>>>   ap-location     AP location
>>>>>>>>   ap-mac          AP MAC address
>>>>>>>>   ap-name         AP name
>>>>>>>>   device-ip       Device IP address
>>>>>>>>   device-mac      Device MAC address
>>>>>>>>   login-url       Device's login URL provided to the external portal server
>>>>>>>>   mac-address     Mac address
>>>>>>>>   redirect-url    The url in user original http packet
>>>>>>>>   set             Set
>>>>>>>>   ssid            SSID
>>>>>>>>   sysname         Device name
>>>>>>>>   user-ipaddress  User IP address
>>>>>>>>   user-mac        User MAC address
>>>>>>>>
>>>>>>>>
>>>>>>>> url-template name PacketFence
>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>
>>>>>>>>
>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>>>>>>
>>>>>>>>
>>>>>>>> If we do not specify the URL on this configuration, where would
>>>>>>>> PacketFence get the value for the AC Web Authentication call?
>>>>>>>>
>>>>>>>>
>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Jorge
>>>>>>>>
>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hello Jorge,
>>>>>>>>
>>>>>>>> What we need is the user mac and the ap information.
>>>>>>>> I found that
>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>>>
>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip
>>>>>>>> ap-mac?
>>>>>>>>
>>>>>>>> And if yes can you provide me the url generated by the controller
>>>>>>>> when it redirects? (haproxy-portal log)
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Fabrice
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Team,
>>>>>>>>>
>>>>>>>>> Any input on this? We really would like to get this to work.
>>>>>>>>>
>>>>>>>>> Thank you!
>>>>>>>>> Jorge
>>>>>>>>>
>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Fabrice,
>>>>>>>>>
>>>>>>>>> This is the sequence:
>>>>>>>>>
>>>>>>>>> Feb  2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>> Feb  2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>>>>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>> Feb  2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>>>>> Feb  2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hello Jorge,
>>>>>>>>>
>>>>>>>>> I will have a closer look.
>>>>>>>>> But I have a question, when the device is forwarded to the captive
>>>>>>>>> portal, (just before
>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>)
>>>>>>>>> , what is the url ?
>>>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> We almost have the configuration working, but are not sure how to
>>>>>>>>>> get the redirect to the client to work correctly. Attached is the
>>>>>>>>>> documentation for Cisco ISE which we used for PacketFence as well.
>>>>>>>>>>
>>>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC.
>>>>>>>>>>
>>>>>>>>>> This is the format the client should get from PacketFence. This
>>>>>>>>>> is the only piece we are missing for this to work.
>>>>>>>>>>
>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> If we manually click on the link above, then the flow of traffic
>>>>>>>>>> works correctly CLIENT > AC > RADIUS (PacketFence), and authentication
>>>>>>>>>> works. The problem is that when the user logs in to the portal the redirect
>>>>>>>>>> is broken. The parameter for the redirect that PacketFence is serving,
>>>>>>>>>> comes from a configuration parameter within the AC. This configuration
>>>>>>>>>> works fine for Cisco ISE, but the URL format is not working for PacketFence.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> When we configure the redirect this is what the client is getting
>>>>>>>>>> from PacketFence
>>>>>>>>>>
>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> AC CONFIG
>>>>>>>>>>
>>>>>>>>>> authentication-profile name PacketFence
>>>>>>>>>>  portal-access-profile PacketFence
>>>>>>>>>>  free-rule-template default_free_rule
>>>>>>>>>>  authentication-scheme PacketFence
>>>>>>>>>>  accounting-scheme PacketFence
>>>>>>>>>>  radius-server PacketFence
>>>>>>>>>>  force-push url https://www.fispy.mx
>>>>>>>>>>
>>>>>>>>>> radius-server template PacketFence
>>>>>>>>>>  radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@
>>>>>>>>>> ]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>>>>  radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>>>>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>>>>  undo radius-server user-name domain-included
>>>>>>>>>>  calling-station-id mac-format unformatted
>>>>>>>>>>  called-station-id wlan-user-format ac-mac
>>>>>>>>>>  radius-server attribute translate
>>>>>>>>>>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>>>>  radius-attribute disable HW-IP-Host-Address send
>>>>>>>>>>  radius-attribute disable HW-Connect-ID send
>>>>>>>>>>  radius-attribute disable HW-Version send
>>>>>>>>>>  radius-attribute disable HW-Product-ID send
>>>>>>>>>>  radius-attribute disable HW-Domain-Name send
>>>>>>>>>>  radius-attribute disable HW-User-Extend-Info send
>>>>>>>>>>
>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>
>>>>>>>>>> web-auth-server PacketFence
>>>>>>>>>>  server-ip 10.0.255.99
>>>>>>>>>>  port 443
>>>>>>>>>>  url-template PacketFence
>>>>>>>>>>  protocol http
>>>>>>>>>>  http get-method enable
>>>>>>>>>>
>>>>>>>>>> portal-access-profile name PacketFence
>>>>>>>>>>  web-auth-server PacketFence direct
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>   authentication-mode radius
>>>>>>>>>>
>>>>>>>>>> wlan
>>>>>>>>>>  security-profile name FISPY-WiFi
>>>>>>>>>>
>>>>>>>>>>  vap-profile name FISPY-WiFi
>>>>>>>>>>   service-vlan vlan-id 900
>>>>>>>>>>   permit-vlan vlan-id 900
>>>>>>>>>>   ssid-profile FISPY-WiFi
>>>>>>>>>>   security-profile FISPY-WiFi
>>>>>>>>>>   authentication-profile PacketFence
>>>>>>>>>>   sta-network-detect disable
>>>>>>>>>>   service-experience-analysis enable
>>>>>>>>>>   mdns-snooping enable
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>>>
>>>>>>>>>> url-template name CISCO-ISE
>>>>>>>>>>  url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>>>>  parameter start-mark #
>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>>>>>
>>>>>>>>>> ####################################
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello Jorge,
>>>>>>>>>>
>>>>>>>>>> do you have any Huawei documentation to implement that ?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Team,
>>>>>>>>>>>
>>>>>>>>>>> We were wondering if anyone has had any success in configuring
>>>>>>>>>>> Web Auth for the Huawei AC? It’s somewhat critical for us to get
>>>>>>>>>>> this going.
>>>>>>>>>>>
>>>>>>>>>>> Thank you!
>>>>>>>>>>> Jorge
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>
>>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>
>
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
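
An added example, not part of the thread and not PacketFence code: a small Python check that reads a FreeRADIUS-style proxy.conf.inc like the one quoted above and reports, per realm, which home server and port would receive proxied accounting once radius-acct is running. The function names are hypothetical, the sample config is constructed from the quoted file with the shared secrets replaced by placeholders, and it relies on the FreeRADIUS rule that a home server of type auth+acct takes Accounting-Request packets on port + 1.

```python
import re

# Constructed sample modelled on the proxy.conf.inc quoted in the thread.
# Shared secrets are placeholders, not the values from the post.
SAMPLE = """
realm default {
}
realm fispy.mx {
auth_pool = auth_pool_fispy.mx
acct_pool = acct_pool_fispy.mx
}
home_server_pool auth_pool_fispy.mx {
type = keyed-balance
home_server = Splynx
}
home_server_pool acct_pool_fispy.mx {
type = load-balance
home_server = Splynx
}
home_server Splynx {
ipaddr = 10.0.254.100
port = 1812
secret = PLACEHOLDER_SECRET
type = auth+acct
status_check = status-server
}
# pfacct configuration
realm pfacct {
    acct_pool = pfacct_pool
    nostrip
}
home_server_pool pfacct_pool {
    home_server = pfacct_local
}
home_server pfacct_local {
    type = acct
    ipaddr = 127.0.0.1
    port = 1813
    secret = PLACEHOLDER_SECRET
    src_ipaddr = 10.0.255.99
}
"""

# Flat "kind name { ... }" blocks only; the generated file has no nesting.
BLOCK = re.compile(
    r"^\s*(realm|home_server_pool|home_server)\s+(\S+)\s*\{(.*?)^\s*\}",
    re.S | re.M,
)


def parse_blocks(text):
    """Return {kind: {name: {key: [values]}}} for every block in the file."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop whole-line comments
    out = {"realm": {}, "home_server_pool": {}, "home_server": {}}
    for kind, name, body in BLOCK.findall(text):
        entry = {}
        for line in body.splitlines():
            key, sep, value = line.partition("=")
            if sep:  # bare flags such as "nostrip" carry no value
                entry.setdefault(key.strip(), []).append(value.strip().strip("'\""))
        out[kind][name] = entry
    return out


def acct_port(server):
    """Port that receives Accounting-Request, or None if it cannot be resolved.

    A block without an explicit type or port is reported as unresolved
    rather than guessing the server's defaults.
    """
    kind = server.get("type", [None])[0]
    port = server.get("port", [None])[0]
    if port is None:
        return None
    if kind == "acct":
        return int(port)
    if kind == "auth+acct":
        return int(port) + 1  # auth on "port", accounting on "port + 1"
    return None  # auth-only or unknown type: no accounting goes here


def accounting_routes(text):
    """Map each realm to the (home_server, ipaddr, port) tuples for accounting."""
    cfg = parse_blocks(text)
    routes = {}
    for realm, body in cfg["realm"].items():
        targets = []
        for pool in body.get("acct_pool", []):
            members = cfg["home_server_pool"].get(pool, {}).get("home_server", [])
            for name in members:
                server = cfg["home_server"].get(name, {})
                port = acct_port(server)
                if port is not None:
                    targets.append((name, server.get("ipaddr", ["?"])[0], port))
        routes[realm] = targets  # empty list: accounting is not proxied
    return routes


if __name__ == "__main__":
    for realm, targets in accounting_routes(SAMPLE).items():
        print(realm, "->", targets or "no accounting proxy")
```

An empty list for a realm means no acct_pool resolves to an accounting-capable home server, so nothing would be forwarded for users in that realm.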
